Closed Bug 1499108 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free [@ fetch_add] with WRITE of size 8

Categories

(Core :: Storage: IndexedDB, defect, P1)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 67+ fixed
firefox64 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: janv)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [fixed by bug 1538619][adv-main67+][adv-esr60.7+])

Found while fuzzing mozilla-central rev 7a0840d60252. I don't currently have a working testcase but will update if one becomes available.

==13706==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000349a88 at pc 0x7f05bba1debb bp 0x7f0557eb7cb0 sp 0x7f0557eb7ca8
WRITE of size 8 at 0x616000349a88 thread T33 (IPDL Background)
    #0 0x7f05bba1deba in fetch_add src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:618:16
    #1 0x7f05bba1deba in operator++ src/obj-firefox/dist/include/nsISupportsImpl.h:343
    #2 0x7f05bba1deba in AddRef src/dom/indexedDB/ActorsParent.cpp:6379
    #3 0x7f05bba1deba in AddRef src/obj-firefox/dist/include/mozilla/RefPtr.h:44
    #4 0x7f05bba1deba in AddRef src/obj-firefox/dist/include/mozilla/RefPtr.h:415
    #5 0x7f05bba1deba in RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:118
    #6 0x7f05bba1deba in Construct<mozilla::dom::indexedDB::(anonymous namespace)::Database *&> src/obj-firefox/dist/include/nsTArray.h:554
    #7 0x7f05bba1deba in AppendElement<mozilla::dom::indexedDB::(anonymous namespace)::Database *&, nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:2577
    #8 0x7f05bba1deba in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::AbortOperations(nsTSubstring<char> const&) src/dom/indexedDB/ActorsParent.cpp:17659
    #9 0x7f05bba1f3b3 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads() src/dom/indexedDB/ActorsParent.cpp:17735:3
    #10 0x7f05bb457557 in mozilla::dom::quota::QuotaManager::Shutdown() src/dom/quota/ActorsParent.cpp:3668:22
    #11 0x7f05bb45708e in mozilla::dom::quota::QuotaManager::ShutdownRunnable::Run() src/dom/quota/ActorsParent.cpp:2834:19
    #12 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #13 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #14 0x7f05b3912004 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:364:5
    #15 0x7f05b381325c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #16 0x7f05b381325c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #17 0x7f05b381325c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #18 0x7f05b26f19f3 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
    #19 0x7f05d61dd008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7f05d5e256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7f05d4ea241c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x616000349a88 is located 520 bytes inside of 528-byte region [0x616000349880,0x616000349a90)
freed by thread T33 (IPDL Background) here:
    #0 0x563709240372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f05bb9e9cb8 in mozilla::dom::indexedDB::(anonymous namespace)::VersionChangeTransaction::~VersionChangeTransaction() src/dom/indexedDB/ActorsParent.cpp:15706:1
    #2 0x7f05bb977126 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::SendPreprocessInfoOrResults(bool) src/dom/indexedDB/ActorsParent.cpp:23511:5
    #3 0x7f05bb96e718 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::Run() src/dom/indexedDB/ActorsParent.cpp
    #4 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #5 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #6 0x7f05b3912004 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:364:5
    #7 0x7f05b381325c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #8 0x7f05b381325c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #9 0x7f05b381325c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #10 0x7f05b26f19f3 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
    #11 0x7f05d61dd008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7f05d5e256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T33 (IPDL Background) here:
    #0 0x5637092406b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x563709271acd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f05bb963cb4 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #3 0x7f05bb963cb4 in mozilla::dom::indexedDB::(anonymous namespace)::OpenDatabaseOp::EnsureDatabaseActor() src/dom/indexedDB/ActorsParent.cpp:22292
    #4 0x7f05bb942de2 in mozilla::dom::indexedDB::(anonymous namespace)::OpenDatabaseOp::BeginVersionChange() src/dom/indexedDB/ActorsParent.cpp:21939:3
    #5 0x7f05bb936727 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() src/dom/indexedDB/ActorsParent.cpp
    #6 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #7 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #8 0x7f05b3912004 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:364:5
    #9 0x7f05b381325c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #10 0x7f05b381325c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #11 0x7f05b381325c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #12 0x7f05b26f19f3 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
    #13 0x7f05d61dd008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7f05d5e256b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T33 (IPDL Background) created by T0 here:
    #0 0x56370922973d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f05d61d9d45 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f05d61d992e in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f05b26f4988 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:719:8
    #4 0x7f05b2700d7e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:485:22
    #5 0x7f05b2705687 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f05b38d7912 in NS_NewNamedThread<16> src/obj-firefox/dist/include/nsThreadUtils.h:75:10
    #7 0x7f05b38d7912 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() src/ipc/glue/BackgroundImpl.cpp:1015
    #8 0x7f05b38dd16a in RunOnMainThread src/ipc/glue/BackgroundImpl.cpp:1330:30
    #9 0x7f05b38dd16a in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() src/ipc/glue/BackgroundImpl.cpp:1351
    #10 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #11 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #12 0x7f05b26f70fa in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:953:22)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #13 0x7f05b26f70fa in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:953
    #14 0x7f05b485ad6b in applyImpl<nsIThread, nsresult (nsIThread::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #15 0x7f05b485ad6b in apply<nsIThread, nsresult (nsIThread::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #16 0x7f05b485ad6b in mozilla::detail::RunnableMethodImpl<RefPtr<nsIThread>, nsresult (nsIThread::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #17 0x7f05b26f9566 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #18 0x7f05b270208d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7f05b270166e in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:558:36)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #20 0x7f05b270166e in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) src/xpcom/threads/nsThreadManager.cpp:558
    #21 0x7f05b27357e1 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #22 0x7f05b495cf3f in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1723:12
    #23 0x7f05b495cf3f in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1268
    #24 0x7f05b495cf3f in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1232
    #25 0x7f05b496398f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1019:12
    #26 0x7f05c26c3b3b in CallJSNative src/js/src/vm/Interpreter.cpp:461:15
    #27 0x7f05c26c3b3b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:553
    #28 0x7f05c26acabe in CallFromStack src/js/src/vm/Interpreter.cpp:613:12
    #29 0x7f05c26acabe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3451
    #30 0x7f05c2691d8b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:440:12
    #31 0x7f05c26c464e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:580:15
    #32 0x7f05c26c63e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:626:10
    #33 0x7f05c1b89382 in js::fun_apply(JSContext*, unsigned int, JS::Value*) src/js/src/vm/JSFunction.cpp:1379:12
    #34 0x7f05c26c3b3b in CallJSNative src/js/src/vm/Interpreter.cpp:461:15
    #35 0x7f05c26c3b3b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:553
    #36 0x7f05c26acabe in CallFromStack src/js/src/vm/Interpreter.cpp:613:12
    #37 0x7f05c26acabe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3451
    #38 0x7f05c2691d8b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:440:12
    #39 0x7f05c26c464e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:580:15
    #40 0x7f05c26c63e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:626:10
    #41 0x7f05c17a00b0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2915:12
    #42 0x7f05b493d4af in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1206:23
    #43 0x7f05b2736ee8 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
    #44 0x7f05b2735dba in SharedStub (/home/ubuntu/firefox/libxul.so+0x4701dba)
    #45 0x7f05c09fe183 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:1027:11
    #46 0x7f05c09d328e in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4607:16
    #47 0x7f05c09d6c9b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4922:8
    #48 0x7f05c09d8853 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5014:21
    #49 0x5637092709ac in do_main src/browser/app/nsBrowserApp.cpp:233:22
    #50 0x5637092709ac in main src/browser/app/nsBrowserApp.cpp:315
    #51 0x7f05d4dbb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:618:16 in fetch_add
Shadow bytes around the buggy address:
  0x0c2c80061300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80061310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80061320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80061330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80061340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c80061350: fd[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80061360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80061370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80061380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80061390: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c800613a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13706==ABORTING
Group: core-security → dom-core-security
Assignee: nobody → jvarga
Priority: -- → P1
Jan, this is a critical bug; can you take a look?
Flags: needinfo?(jvarga)
Looking.
Flags: needinfo?(jvarga)
This looks related to bug 1499719: the memory was freed under similar circumstances and the illegal access happens when aborting operations.
Yeah, those two look very similar.

This might get fixed in bug 1538619.

(In reply to Jan Varga [:janv] from comment #5)
> This might get fixed in bug 1538619.

Jan, can you CC me on this?

Depends on: 1538619

This should be fixed by the patch in bug 1538619.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Group: dom-core-security → core-security-release
Whiteboard: [fixed by bug 1538619]

Patch in bug 1538619 was uplifted to beta 67.0b12.

(In reply to Liz Henry (:lizzard) (use needinfo) from comment #8)
> Patch in bug 1538619 was uplifted to beta 67.0b12.

And to esr, for ESR 60.7.

Whiteboard: [fixed by bug 1538619] → [fixed by bug 1538619][adv-main67+][adv-esr60.7+]
Group: core-security-release